My RSA is 8.3 version and user limit is 40 and have 35 authenticators. I don't know why it shows autual have 36 in the security console. pls help me!
My RSA is 8.3 version and user limit is 40 and have 35 authenticators. I don't know why it shows autual have 36 in the security console. pls help me!
Hi James Leong ,
Can you check any one of the user have fixed pass code.
thanks
Rajesh [M.Tech Products Pte ltd]
Yes, It is me. I use that for login My RSA.
HI,
Yes, it is me. I use it to login my RSA. Is it that?
James
Hi James,
Fixed pass-code also count it as Authenticator.
you can check it by removing it for you and login in to SC console using another account.
thanks
Rajesh [M.Tech Products Pte ltd]
Yes, do u have a guide line?
Active User Limit is a count of 'registered' users who have at least one authenticator (Hard/Soft Token, Fixed Passcode, On-demand or RBA assigned users) in the internal database. Sometimes this problem is a misunderstanding of who counts, confusion comes from RSA e.g. calling the On-Demand user authenticator a license. But there are at least two other ways there can be a real problem in what is reported in Active User Limit and what you are using:
1. If a user from an external LDAP Identity Source had any authenticator assinged, and then that same user was deleted from the external LDAP Identity Source, the assigned authenticator is still assigned and the user still counts once against the active user limit until you run a Clean-up. External Identity Source Clean-up, either scheduled or Now, unassigns the authenticator and makes it available to other users, and removes the 'registration' of the user in the internal database, lowering the count of active users.
2. Sometimes something happens in LDAP, or actually two or more changes happen in LDAP that make it hard to locate the user in LDAP, resulting in a situation where the user cannot be cleaned up. By two changes I mean two changes at the same time, e.g. the user's last name changes And their location in LDAP changes (DN). If only one change happens, AM is pretty good a learning the change, (OK at AM 8.1, much better at 8.1 SP1 P15 into 8.2 and higher) in real time, but two changes at the same time in AD is asking for trouble.
Look at the KB 000030005 - How to get an accurate active user license count in RSA Authentication Manager 8.1 using SQL
and if you need help, just open a case with support.
HI,
No other authenticator found except hardware token, but the amount sum are 35, not 36.
James
That is why you must run the SQL select from KB 30005
SELECT loginuid, authenticator_bit_flags FROM rsa_rep.IMS_PRINCIPAL_DATA ipd WHERE authenticator_bit_flags IS NOT NULL;
loginuid | authenticator_bit_flags
--------------------------------------------
trustedapp | 1000000000
@PROXYUSER@ | 100
administrator | 1001000
. . .
(37 rows) = 35 users and 2 system accounts, my guess is your number will be 38. With this list you can determine who the UserID is that counts but you cannot see in Security Console, and we would remove him with SQL or an LDAP search filter then clean-up
For my case, I have
<a_rep.IMS_PRINCIPAL_DATA ipd WHERE authenticator_bit_flags IS NOT NULL;
loginuid | authenticator_bit_flags
Hi,
Finally, I find out the outstanding user, and the license count is correct. Thank you!
James
HI, I have run all user report, all users do not have fixed passcode and soft token.
Active User Limit is a count of 'registered' users who have at least one authenticator (Hard/Soft Token, Fixed Passcode, On-demand or RBA assigned users) in the internal database. Sometimes this problem is a misunderstanding of who counts, confusion comes from RSA e.g. calling the On-Demand user authenticator a license. But there are at least two other ways there can be a real problem in what is reported in Active User Limit and what you are using:
1. If a user from an external LDAP Identity Source had any authenticator assinged, and then that same user was deleted from the external LDAP Identity Source, the assigned authenticator is still assigned and the user still counts once against the active user limit until you run a Clean-up. External Identity Source Clean-up, either scheduled or Now, unassigns the authenticator and makes it available to other users, and removes the 'registration' of the user in the internal database, lowering the count of active users.
2. Sometimes something happens in LDAP, or actually two or more changes happen in LDAP that make it hard to locate the user in LDAP, resulting in a situation where the user cannot be cleaned up. By two changes I mean two changes at the same time, e.g. the user's last name changes And their location in LDAP changes (DN). If only one change happens, AM is pretty good a learning the change, (OK at AM 8.1, much better at 8.1 SP1 P15 into 8.2 and higher) in real time, but two changes at the same time in AD is asking for trouble.
Look at the KB 000030005 - How to get an accurate active user license count in RSA Authentication Manager 8.1 using SQL
and if you need help, just open a case with support.